Macromedia DW MX PHP Authentication Suite Vulnerabilities

From: Lorenzo Hernandez Garcia-Hierro (novappc_at_novappc.com)
Date: 08/04/03

    Date: Mon, 4 Aug 2003 17:08:02 +0200
    To: bugtraq@securityfocus.com
    
    

    -------------------
    Product: PHP Authentication Suite for DreamWeaver
    Vendor: Macromedia
    Versions:
    VULNERABLE

    - DreamWeaver MX 6.0
    - All PHP authentication systems generated with it
    - Variables: accessdenied (and any renamed equivalent that carries the denied URL)

    NOT VULNERABLE

    - ?
    ---------------------

    Description:

    The PHP User Authentication Suite consists of four server behaviors for
    restricting access to websites for the Dreamweaver MX PHP server model.
    The four server behaviors are:
    - Log In User
    - Restrict Access to Page
    - Log Out User
    - Check New Username

    -----------------------------------------
    SECURITY HOLES FOUND and PROOFS OF CONCEPT:
    -----------------------------------------

    I encountered an XSS ( Cross Site Scripting ) vulnerability in the LOGIN
    system that allows you to include script code
    in the result page / login form.

    ---------------------
    | XSS IN |
    | LOGIN FORMS |
    ---------------------

    The XSS is in the variable that carries the URL of the denied page ( URL encoded ):

    http://[TARGET]/[PATH]/[LOGIN PAGE].php?[ACCESS DENIED VARIABLE]=%2F[DIR1]%2F[DIR2]%2F[DIR3]%2F[FORBIDDEN PAGE]

    This URL is produced when you attempt to access a page of the website that
    requires a valid authentication token.

    The page redirects you to the [LOGIN PAGE] and appends a special variable
    to the query string, [ACCESS DENIED VARIABLE]=, holding the URL of the
    denied page ( from the document root, e.g. /dir1/dir2/dir3/secret.php )
    in URL-encoded form.

    The login page copies the request's query string back into the login form
    without escaping it, so the XSS attack consists of writing script code in
    the variable, closing the form tag first:

    http://[TARGET]/[PATH]/[LOGIN PAGE].php?[ACCESS DENIED VARIABLE]="><script>alert('.::\/\|NSRG-18-7|/\/::.');</script>

    Examples:

    http://www.victim.foo/secrets/login.php?accessdenied=%2Fsecrets%2Findex.php  <- ( /secrets/index.php )

    http://www3.bigbank.biz/admin/ccarddb/admin.php?accessdenied=%2Fadmin%2Fccarddb%2Fexport.database.content.php  <- ( /admin/ccarddb/export.database.content.php )

    http://www.sco.fm/is/a/big/*h*t.php?notalinuxerror=%2Flinuxsourcecode%2Fcopytosco.php  <- ( /linuxsourcecode/copytosco.php )

    - Proof of Concept: -

    Access a forbidden page; you are redirected to a URL like this:

    http://TESTING.FOO/SECRETS/LOGIN1.php?[ACCESS DENIED VARIABLE]=%2Fsecrets%2Fbankaccounts.php

    Now modify the variable like this:

    http://TESTING.FOO/SECRETS/LOGIN1.php?ACCESSDENIED="><iframe src="ANTI-TESTING.FOO"></iframe>

    -----------
    | CODES |
    -----------

    The LOGIN page code ( generated by the "Log In User" server behavior ):

    <?php require_once('[SQL CONNECTION]'); ?>
    <?php
    // *** Logout the current user.
    $FF_Logout = $HTTP_SERVER_VARS['PHP_SELF'] . "?FF_Logoutnow=1";
    if (isset($HTTP_GET_VARS['FF_Logoutnow']) && $HTTP_GET_VARS['FF_Logoutnow']=="1") {
      session_start();
      session_unregister("MM_Username");
      session_unregister("MM_UserAuthorization");
      $FF_logoutRedirectPage = "[LOGIN PAGE]";
      // redirect with URL parameters (remove the "FF_Logoutnow" query param).
      if ($FF_logoutRedirectPage == "") $FF_logoutRedirectPage = $HTTP_SERVER_VARS['PHP_SELF'];
      if (!strpos($FF_logoutRedirectPage, "?") && $HTTP_SERVER_VARS['QUERY_STRING'] != "") {
        $FF_newQS = "?";
        reset ($HTTP_GET_VARS);
        while (list ($key, $val) = each ($HTTP_GET_VARS)) {
          if($key != "FF_Logoutnow"){
            if (strlen($FF_newQS) > 1) $FF_newQS .= "&";
            $FF_newQS .= $key . "=" . urlencode($val);
          }
        }
        if (strlen($FF_newQS) > 1) $FF_logoutRedirectPage .= $FF_newQS;
      }
      header("Location: $FF_logoutRedirectPage");
      exit;
    }

    // *** Start the session
    session_start();
    // *** Validate request to log in to this site.
    // The form's action URL is built from the raw query string; this is the
    // value the login form echoes, and therefore where accessdenied is reflected.
    $FF_LoginAction = $HTTP_SERVER_VARS['PHP_SELF'];
    if (isset($HTTP_SERVER_VARS['QUERY_STRING']) && $HTTP_SERVER_VARS['QUERY_STRING']!="") $FF_LoginAction .= "?".$HTTP_SERVER_VARS['QUERY_STRING'];
    if (isset($HTTP_POST_VARS['username'])) {
      $FF_valUsername=$HTTP_POST_VARS['username'];
      $FF_valPassword=$HTTP_POST_VARS['password'];
      $FF_fldUserAuthorization="UID";
      $FF_redirectLoginSuccess="access_granted.php";
      $FF_redirectLoginFailed="access_denied.php";
      $FF_rsUser_Source="SELECT USERNAME, PASSWD ";
      if ($FF_fldUserAuthorization != "") $FF_rsUser_Source .= "," . $FF_fldUserAuthorization;
      // username and password are concatenated into the SQL string unescaped
      // (not the subject of this advisory, but visible here)
      $FF_rsUser_Source .= " FROM [TABLE] WHERE USERNAME='" . $FF_valUsername . "' AND PASSWD='" . $FF_valPassword . "'";
      mysql_select_db($database_unp43s, $unp43s);
      $FF_rsUser=mysql_query($FF_rsUser_Source, $unp43s) or die(mysql_error());
      $row_FF_rsUser = mysql_fetch_assoc($FF_rsUser);
      if(mysql_num_rows($FF_rsUser) > 0) {
        // username and password match - this is a valid user
        $MM_Username=$FF_valUsername;
        session_register("MM_Username");
        if ($FF_fldUserAuthorization != "") {
          $MM_UserAuthorization=$row_FF_rsUser[$FF_fldUserAuthorization];
        } else {
          $MM_UserAuthorization="";
        }
        // *** THIS PART INCLUDES THE AFFECTED VARIABLES
        session_register("MM_UserAuthorization");
        // $accessdenied only exists as a plain variable via register_globals; as
        // written, the "&& false" makes this branch dead code.
        if (isset($accessdenied) && false) {
          $FF_redirectLoginSuccess = $accessdenied;
        }
        mysql_free_result($FF_rsUser);
        session_register("FF_login_failed");
        $FF_login_failed = false;
        header ("Location: $FF_redirectLoginSuccess");
        exit;
      }
      mysql_free_result($FF_rsUser);
      session_register("FF_login_failed");
      $FF_login_failed = true;
      header ("Location: $FF_redirectLoginFailed");
      exit;
    }

    ?>

    The Access Restriction code ( "Restrict Access to Page" ), where the accessdenied parameter is built:

    <?php
    // *** Restrict Access To Page: Grant or deny access to this page
    $FF_authorizedUsers=" xXx";
    $FF_authFailedURL="[LOGIN PAGE]";
    $FF_grantAccess=0;
    session_start();
    if (isset($HTTP_SESSION_VARS["MM_Username"])) {
      if (true || !(isset($HTTP_SESSION_VARS["MM_UserAuthorization"])) || $HTTP_SESSION_VARS["MM_UserAuthorization"]=="" || strpos($FF_authorizedUsers, $HTTP_SESSION_VARS["MM_UserAuthorization"])) {
        $FF_grantAccess = 1;
      }
    }
    if (!$FF_grantAccess) {
      $FF_qsChar = "?";
      if (strpos($FF_authFailedURL, "?")) $FF_qsChar = "&";
      // The denied page (its path plus its own query string) becomes the value
      // of accessdenied. urlencode() protects this redirect URL; nothing protects
      // the value once the login page echoes its query string into the form.
      $FF_referrer = $HTTP_SERVER_VARS['PHP_SELF'];
      if (isset($HTTP_SERVER_VARS['QUERY_STRING']) && strlen($HTTP_SERVER_VARS['QUERY_STRING']) > 0) $FF_referrer .= "?" . $HTTP_SERVER_VARS['QUERY_STRING'];
      // ---> the line this advisory is about:
      $FF_authFailedURL = $FF_authFailedURL . $FF_qsChar . "accessdenied=" . urlencode($FF_referrer);
      header("Location: $FF_authFailedURL");
      exit;
    }
    ?>

    -----------
    |solution:|
    -----------

    Replace:

      $FF_authFailedURL = $FF_authFailedURL . $FF_qsChar . "accessdenied=" . urlencode($FF_referrer);

    with:

      $FF_authFailedURL = $FF_authFailedURL . $FF_qsChar . "accessdenied=Your attempt was recorded";

    Caveat: this replacement only changes what the Restrict Access page sends
    ( and it also gives up the return-to-page feature ). The login page still
    copies the raw query string into the form's action URL ( $FF_LoginAction
    in the code above ), so an attacker who links directly to the login page
    with the payload in the query string is not stopped by it. The reflection
    has to be fixed in the login page itself: escape $FF_LoginAction with
    htmlspecialchars() where the form echoes it, and do not copy arbitrary
    query parameters into the action URL at all.
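    The reflection point and its fix, side by side, as an added example. This
    is not Macromedia's generated code and not part of the original advisory.
    It assumes that the login page fills the form's action attribute from
    $FF_LoginAction ( which the "closing the form tags" payload implies; the
    form markup itself is not reproduced in the advisory ). The function names
    and the sample request are illustrative.

```php
<?php
// Added example, not Macromedia's generated code. Assumes the login page
// echoes $FF_LoginAction into action="..."; function names are illustrative.
// Run from the command line: php login_action.php

// --- Vulnerable: the generated code builds the action URL from the raw query
//     string and (assumed) echoes it unescaped into the form tag.
function vulnerable_login_action(): string
{
    $action = $_SERVER['PHP_SELF'];
    if (isset($_SERVER['QUERY_STRING']) && $_SERVER['QUERY_STRING'] !== '') {
        $action .= '?' . $_SERVER['QUERY_STRING'];
    }
    // ?accessdenied="><script>...</script> lands here unchanged and closes the tag
    return '<form name="form1" method="post" action="' . $action . '">';
}

// --- Hardened: carry over only the one parameter we need, validate it, and
//     escape on output. Everything else in the query string is dropped.
function safe_login_action(): string
{
    $action = $_SERVER['PHP_SELF'];
    $target = safe_return_path($_GET['accessdenied'] ?? '');
    if ($target !== '') {
        $action .= '?accessdenied=' . rawurlencode($target);
    }
    $escaped = htmlspecialchars($action, ENT_QUOTES, 'UTF-8');
    return '<form name="form1" method="post" action="' . $escaped . '">';
}

// Accept only a site-local absolute path as the post-login destination. The
// generated code passes $accessdenied straight to header("Location: ...") when
// that branch is enabled, so the value must never be usable as an off-site URL
// or carry CR/LF into the header.
function safe_return_path(string $candidate): string
{
    // exactly one leading slash (rejects "//evil.example" and "/\evil.example"),
    // no line breaks anywhere
    if (preg_match('#^/(?![/\\\\])[^\r\n]*$#', $candidate) !== 1) {
        return '';
    }
    $parts = parse_url($candidate);
    if ($parts === false || isset($parts['scheme']) || isset($parts['host'])) {
        return '';
    }
    return $candidate;
}

// Constructed request, so this runs without a web server. QUERY_STRING is set
// raw on purpose: browsers of the period sent these characters unencoded, and a
// hand-crafted request always can.
$_SERVER['PHP_SELF']     = '/secrets/login.php';
$_GET['accessdenied']    = '"><script>alert(1)</script>';
$_SERVER['QUERY_STRING'] = 'accessdenied=' . $_GET['accessdenied'];

echo vulnerable_login_action(), "\n"; // attribute closed, script tag injected
echo safe_login_action(), "\n";       // payload rejected, plain action URL

$_GET['accessdenied']    = '/secrets/bankaccounts.php?id=7&view=full';
$_SERVER['QUERY_STRING'] = 'accessdenied=' . rawurlencode($_GET['accessdenied']);
echo safe_login_action(), "\n";       // legitimate path carried over, encoded once
```

    The hardened version fixes the bug at the sink rather than at one of its
    sources: escaping on output closes the XSS regardless of which page or
    which parameter name delivered the value, and the path check keeps the
    redirect-back feature without letting the parameter double as an off-site
    redirect.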

    -----------
    | CONTACT |
    -----------

    Lorenzo Hernandez Garcia-Hierro
    --- Computer Security Analyzer ---
    --Nova Projects Professional Coding--
    PGP: Keyfingerprint
    B6D7 5FCC 78B4 97C1 4010 56BC 0E5F 2AB2
    ID: 0x9C38E1D7
    **********************************
    www.novappc.com
    security.novappc.com
    www.lorenzohgh.com
    ______________________

